Researchers at F5 Labs, the threat intelligence arm of F5 Networks, have uncovered a new malware campaign dubbed “CryptoSink” that is used to deploy an XMR (Monero) mining operation targeting Elasticsearch systems.
Key features include:
- The campaign exploits a five-year-old vulnerability (CVE-2014-3120) in Elasticsearch systems running on Windows and Linux
- On Linux, it delivers several previously unknown malware samples that were not detected by antivirus solutions
- It uses previously unseen methods to kill competing crypto-miners on the infected machine and to persist on the server (by replacing the Linux remove command)
- It backdoors the server by adding the attacker’s SSH keys.
- It uses several command and control (C&C) servers; the current live C&C is located in China.
The rise of crypto-mining botnets and the decline in cryptocurrency value make this an increasingly tough competition. For full details on the attack: https://www.f5.com/labs/articles/threat-intelligence/-cryptosink–campaign-deploys-a-new-miner-malware
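Two of the behaviours listed above leave host-level traces a defender can look for: a coreutils `rm` that is no longer a native ELF binary, and SSH public keys in `authorized_keys` that are not on an approved list. The following Python script is an added example written for this page, not F5 Labs' code or anything from the campaign, and all file contents in it are constructed; the fingerprint format follows `ssh-keygen -lf` (SHA256 of the wire-format key blob, base64 without padding), and the sample keys are fake 32-byte values rather than real Ed25519 keys.

```python
"""Host checks for two persistence/backdoor techniques described in the article:
(1) the system `rm` binary replaced by a wrapper, and (2) unexpected SSH keys
added to authorized_keys. Added example, not the campaign's or F5's code."""
import base64
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def classify_executable(data: bytes) -> str:
    """'elf' for a native ELF image, 'script' for a shebang file, else 'unknown'."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(b"#!"):
        return "script"
    return "unknown"


def rm_looks_replaced(data: bytes) -> bool:
    """On a stock Linux host /bin/rm is an ELF binary from coreutils; anything else is suspect."""
    return classify_executable(data) != "elf"


def ssh_fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the same format ssh-keygen -lf prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Return (key_type, blob, comment) for each valid key line; tolerates an options prefix."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Lines may start with options such as no-pty,command="..."; locate the key type token.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        key_type = tokens[idx]
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # The wire-format blob opens with the key type string; a mismatch means a malformed line.
        if not blob.startswith(struct.pack(">I", len(key_type)) + key_type.encode()):
            continue
        entries.append((key_type, blob, " ".join(tokens[idx + 2:])))
    return entries


def find_unexpected_keys(text: str, allowed_fingerprints: set):
    """Keys present in authorized_keys whose fingerprint is not on the allow-list."""
    return [(ssh_fingerprint(blob), comment)
            for _, blob, comment in parse_authorized_keys(text)
            if ssh_fingerprint(blob) not in allowed_fingerprints]


# ---- constructed sample data (hypothetical, for the demo only) ----
def ed25519_blob(pub: bytes) -> bytes:
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(pub)) + pub


def make_ed25519_line(pub: bytes, comment: str, options: str = "") -> str:
    key = f"ssh-ed25519 {base64.b64encode(ed25519_blob(pub)).decode()} {comment}"
    return f"{options} {key}" if options else key


ADMIN_PUB = bytes(range(32))       # fake key bytes, not a real key
INTRUDER_PUB = bytes(32)           # fake key bytes, not a real key
ALLOWED_FINGERPRINTS = {ssh_fingerprint(ed25519_blob(ADMIN_PUB))}
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    make_ed25519_line(ADMIN_PUB, "admin@bastion"),
    make_ed25519_line(INTRUDER_PUB, "root@localhost", options='no-pty,command="/bin/sh"'),
])
GENUINE_RM = b"\x7fELF\x02\x01\x01" + b"\x00" * 9   # constructed ELF header stub
TROJANED_RM = b"#!/bin/sh\n# constructed stand-in for a wrapper script\n"

if __name__ == "__main__":
    print("rm replaced:", rm_looks_replaced(TROJANED_RM), rm_looks_replaced(GENUINE_RM))
    for fp, comment in find_unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print("unexpected key:", fp, comment)
```

In production the allow-list would come from configuration management and the file contents from `/bin/rm` and each user's `~/.ssh/authorized_keys`; comparing against fingerprints rather than comments matters because a comment such as `root@localhost` is free text that an attacker can set to anything.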